CVE-2026-45719

MEDIUM 6.5

Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API

CVSS Score

6.5

EPSS Score

0.0%

EPSS Percentile

0th

Budibase is an open-source low-code platform. Prior to 3.38.1, the V1 Views API (POST /api/views) accepts a calculation parameter from the request body that is interpolated directly into a CouchDB reduce function definition without validation. Although an internal SCHEMA_MAP object defines the valid calculation types (sum, count, stats), no actual validation is performed against this map before the value is used in string interpolation. A user with Builder permissions can inject arbitrary JavaScript code that will be executed within the CouchDB JavaScript engine when the view is queried. This vulnerability is fixed in 3.38.1.

CWE	CWE-94
Vendor	budibase
Product	budibase
Published	May 27, 2026
Last Updated	May 27, 2026

Stay Ahead of the Next One

Get instant alerts for budibase budibase

Be the first to know when new medium vulnerabilities affecting budibase budibase are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

Budibase / budibase

< 3.38.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Budibase/budibase/security/advisories/GHSA-363w-hvwh-w7m6 github.com: https://github.com/Budibase/budibase/releases/tag/3.38.1